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ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
Capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 
xX Yes 
No 
O Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


In the ‘How should we supply information to the requester?’ section, it would be helpful if 
you could also include advice on what to do if a requester asks for the data in more than 


one format, e.g. electronic and hard copy. 


Q3 


Does the draft guidance contain enough examples? 


Yes 
No 
Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


The guidance states that a request may be excessive where it “repeats the substance of 
previous requests and a reasonable interval has not elapsed”, however is not necessarily 
excessive where an individual “wanted to receive a further copy of information they have 
requested previously (instead you can charge a reasonable fee for the administrative 
costs of providing this information again)”. 


We have a data subject who has submitted one SAR every year for the past four years. 


Our approach to date has been to supply them with all material from the date of the 
previous SAR to the date of the new request. However, on our reading of the guidance as 
it stands, they could now decide to request everything they’ve ever had again, and we 
have to provide this to them because we can charge them for the administrative costs. 
This doesn’t in our view take account of the staff resources required to provide data to 
subjects which they have previously been provided with. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all 2 - Slightly 3 - Moderately 4 - Very useful 5 - Extremely 
useful useful useful useful 
O O O L 


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Disagree Neither agree nor Agree Strongly agree 
disagree disagree 
O O O O 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance 


On page 16 - “How long do we have to comply” - you seem to have reduced the time 
organisations have to respond to SARs by a day by counting the time from the day the 
request is received, whereas in the past it has been from the day after date of receipt. As 
the time to respond has already been reduced from 40 days to one month, it seems 
unfair to reduce it by a further day. It also seems odd that you have already updated 
your current guidance on this point - before the consultation has taken place. 


Also on this point, the guidance says you calculate the time from “the day you receive the 
request, fee or other requested information...” although on page 23 where you cover 
“clarifying the request” you say the time limit starts even if you are seeking clarification. 
These two points seem to contradict each other. 


On page 23, you cover “clarifying the request”, which you are now saying does not affect 
the time scale for responding - another change. But if we cannot wait for the requester to 
respond to a request for more information, wouldn't this constitute disproportionate effort 
to start searching for their data without the further information requested? Your example, 


if slightly reworded, would illustrate this perfectly. If the employee had said their request 
was limited to information about the complaint, the supermarket could have put in a lot 
of resources to locating other data that wasn’t actually required. We have examples 
where requesters ask for data relating to a complaint about them. The data may stretch 
back over a number of years, while clarification may result in a request only for data from 
the past year. 


Also in such cases, would it not also be reasonable to ask requesters to prioritise the data 
they want, if it does go back over a long period, particularly if the data cannot all be 
provided within one month and an extension is needed? 


On page 36 “What does excessive mean?” you say it is not ‘necessarily’ excessive if the 
individual askes for a further copy of information they have requested previously, and 
that instead an organisation could charge a reasonable fee to provide another copy. But it 
isn’t clear whether an organisation has to do this, or whether they can refuse the request. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


General Council of the Bar 


What sector are you from: 


Q10 How did you find out about this survey? 


O ICO Twitter account 
O ICO Facebook account 


ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 
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Thank you for taking the time to complete the survey. 


